CVE-2023-25168
Last modified
CVE-2023-25168 is a high-severity vulnerability rated 8.2/10 on the CVSS scale. Wings is Pterodactyl's server control plane. This vulnerability can be used to delete files and directories recursively on the host system. EPSS estimates a 0.96% chance of exploitation in the next 30 days.
Description
Wings is Pterodactyl's server control plane. This vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with `GHSA-p8r3-83r8-jwj5` to overwrite files on the host system. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. This vulnerability has been resolved in version `v1.11.4` of Wings, and has been back-ported to the 1.7 release series in `v1.7.4`. Anyone running `v1.11.x` should upgrade to `v1.11.4` and anyone running `v1.7.x` should upgrade to `v1.7.4`. There are no known workarounds for this issue.
Metrics
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Pterodactyl | Wings | >= 1.7.0, < 1.7.4 |
| Pterodactyl | Wings | 1.11.0 |
| Pterodactyl | Wings | 1.11.1 |
| Pterodactyl | Wings | 1.11.2 |
| Pterodactyl | Wings | 1.11.3 |
References
- https://github.com/pterodactyl/wings/commit/429ac62dba22997a278bc709df5ac00a5a25d83dPatch, Vendor Advisory
- https://github.com/pterodactyl/wings/commit/429ac62dba22997a278bc709df5ac00a5a25d83dPatch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-25168?
How severe is CVE-2023-25168?
How do I fix CVE-2023-25168?
Are you affected by CVE-2023-25168?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST